Microsoft has released an out-of-band security bulletin (MS10-070) for the ASP.NET "information disclosure" vulnerability.

The short version of the vulnerability is that exploiting it generates unintended error messages containing information that an attacker may be able to use to view or compromise data.

According to the bulletin, any applications running on the ASP.NET platform are vulnerable. It also indicates Microsoft is aware of current, limited attacks against the vulnerability.

SANS raised their InfoCon Alert from Green to Yellow for this vulnerability, to "raise awareness for this problem and patch." The notice on the SANS blog also links to a much more detailed explanation of the attack.

An mTAN is a mobile transaction authentication number, sent via SMS, and is used by some banks as a form of single-use one-time password to authorize an online financial transaction. The SMS message may also include the transaction data, which allows you to verify that nothing has been modified in transit (for example, by a Man-in-the-Browser attack).

Windows OS based online banking is constantly under attack from phishing, pharming, cross-site scripting, and password stealing trojans. Adding an "outside" device to the process is a useful security countermeasure; one that we thought might be technically challenging enough to dissuade any would-be attackers. However, online security is ever a cat-and-mouse game, and we've often predicted it was only a matter of time before a banking trojan focused on phones appeared.

Enter case Mitmo: S21sec, a digital security services company, posted on their blog on Saturday: ZeuS Mitmo: Man-in-the-mobile. The ZeuS variants they've discovered (which we detect as Trojan-Spy:W32/Zbot.PUA and PUB) ask for mobile phone details and then send an SMS with a download link based on the answers given by the victim.

We've analyzed the Symbian component (which we detect as Trojan:SymbOS/ZeusMitmo.A) and can confirm S21sec's research. The Symbian file, cert.sis, calls itself "Nokia update" and is Symbian Signed for S60 3rd Edition mobile phones.

It is difficult to get the complete picture of this emerging threat vector as the C&C used by the Zbot.PUA is no longer online, but based on the analysis and their configuration files, this attack is not a one-off by some hobbyist. It's been developed by individuals with an excellent understanding of mobile applications and social engineering. We expect that they'll continue its development.

Like it or not, Twitter is important. It is not only used for chit-chat, but it has turned out to be the fastest way to get eye-witness reports from people who are on location whenever something happens.

So it feels quite unpleasant when something like yesterday's attacks happen. Suddenly a service we've started to rely on is out of order -- because of some stupid worm? One moment you're catching up with the latest Tweets, and suddenly you've somehow resent a viral message to all of your followers.

And the antivirus program you've bought won't help you. No matter how hard you scan your system, there's nothing there. The worm isn't on your computer: it's on some Twitter server farm in some data center somewhere.

This is part of what we call the cloud. Once we start to use cloud services more and more, we also give up the control of our data. If you have your documents on your computer, you can encrypt and secure them. If you store them on a cloud service, you have to hope that someone else does it for you. Same thing with your communication.

Twitter worms are quite different from the more sinister trojans we see attacking the Windows operating system. Most of the Twitter worms are made just for testing, or for fun. Very few try to steal information or to make money. They are created by the same kind of curious tinkerers that 10 years ago would have been writing Internet worms, just to see how quickly they would replicate.

My recommendation? Twitter should establish a bounty for finding major new security vulnerabilities in their system.

Maybe some of these online hackers would be more interested in cashing in than writing yet another system-breaking worm for their amusement.

His version of the onMouseOver worm did nothing more than spread itself and could be deleted. And because it merely spread itself, Holm considers his version of the worm to have been harmless. Many authors of yesteryear's Internet worms thought the same.

Unfortunately, a "harmless" worm doesn't stay harmless for very long and there soon came a more aggressive onMouseOver worm, written by a seventeen-year-old using the alias Matsta.

While Twitter's security team is scrambling to close this loophole, we expect problems to continue. It's perfectly possible that there will be more malicious attacks, possibly combining this technique with browser exploits.

In the meanwhile, we recommend you either:

• Log out of Twitter
• Use client programs to access Twitter instead of using twitter.com
• Turn off JavaScript

On September 19th and 20th, over 600 sites, mainly in Malaysia and Indonesia, were temporarily listed by Google as potentially harmful*. The roll call of sites affected include many of Malaysia's major online media sites, including TheStar, Malaysiakini, Berita Harian and the Malaysian Insider.

The issue was traced to ads unintentionally served on the affected sites by a third party ad provider, which were pointing to malware sites. The ad service has since announced that the offending material has been removed and that Google has reviewed their site. Most major websites affected also appear to have been cleaned.

Actually, compromised ad servers (and their knock-on effect on associated websites) are nothing new. What is interesting to note in this case is the disproportionate effect it had on an entire country's online community.

It's hard to imagine this incident occurring in Finland, the US or the UK. In those mature online markets, the level of computer security is generally higher; and there are more ad services, reducing the impact a compromised ad service might have.

But not all countries enjoy those advantages. That's especially true of countries only just coming online, who are still growing their online population and developing an online market.

In Malaysia's case, the attack was something of a perfect storm. Malaysia has a relatively small online population of approximately 17 million users; these users depend on a small handful of high-traffic local sites; these sites coincidentally shared the same third-party ad service.

Once that ad service was compromised, it was like throwing a big stone into a small pond — the ripples spread far and wide. In this case, it really didn't take much to inconvenience an entire country's online population.

Online Gossip Magazine Radar Online is reporting that NBA star Shaquille O'Neal is facing a lawsuit accusing him of hacking, destroying evidence and indicating that he attempted to frame an employee by planting child pornography on his computer.

According to the lawsuit, O'Neal also threw a personal computer in the lake behind his home.

O'Neal (widely known by his nickname 'Shaq') is one of the most famous professional basketball players in the world and one of the wealthiest sport stars overall.

Mr. O'Neal is active online with his "THE_REAL_SHAQ" Twitter account, but so far he has not commented on these latest allegations.

For those of us who work in computer security, it's a bit hard to know what to make of these allegations. Listening to someone else's voicemail isn't very hard at all, and neither is trying to hide computer evidence by throwing a laptop into a lake. As such, we wouldn't categorize Mr. O'Neal as a hacker. But I guess we'll learn more as the case progresses.

"There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows."

Flash Player will be patched the week of September 27, 2010. Flash technology is also embedded in Reader and Acrobat. They'll be patched during the week of October 4, 2010, at which point, this vulnerability will also be addressed.

We've received some media inquiries about an e-mail worm that's being called "Here you have".

The name is based on the subject lines used by the worm. It isn't anything very special, just your run-of-the-mill worm that requires its recipients to click on included links. The links supposedly open to either documents or videos, but it is really just a disguised executable called something such as PDF_Document21_025542010_pdf.scr.

Screen saver (.scr) files have long been blocked as attachments, which is why this worm uses links. Our antivirus already detected this threat before it was used by this particular "Here you have" run of e-mails. We detect it as Gen:Trojan.Heur.rm0@fnBStPoi.
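As an added example (not code from the original post), here is a small link checker that flags the disguise described above: a Windows executable extension such as .scr behind a filename that reads like a document or video. The message body, hostnames (reserved .invalid domains) and the `classify_link`/`scan_message_links` names are constructed for this example; the PDF_Document21_025542010_pdf.scr name is the one quoted above.

```python
import re
from urllib.parse import unquote, urlparse

# Added example (not from the original post): flag e-mail links whose target
# filename dresses a Windows executable up as a document or video, the trick
# the "Here you have" worm used with PDF_Document21_025542010_pdf.scr.

# Extensions Windows executes directly; a .scr screen saver is an ordinary PE file.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "js"}
# Tokens a lure uses so the name reads as a harmless document or video.
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "ppt", "txt", "video", "mp4", "avi", "wmv"}


def classify_link(url: str) -> dict:
    """Describe the file a URL points at and whether it is a disguised executable."""
    filename = unquote(urlparse(url).path).rsplit("/", 1)[-1]
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # Everything before the real extension, split into words, e.g. "pdf", "document21".
    name_tokens = set(re.split(r"[^a-z0-9]+", ".".join(parts[:-1])))
    lure = sorted(name_tokens & DOCUMENT_TOKENS)
    executable = ext in EXECUTABLE_EXTS
    return {"filename": filename, "extension": ext, "executable": executable,
            "lure": lure, "disguised": executable and bool(lure)}


def scan_message_links(body: str) -> list:
    """Classify every http(s) link found in a message body, in order of appearance."""
    urls = [u.rstrip(".,;:)") for u in re.findall(r"https?://[^\s<>\"']+", body)]
    return [classify_link(u) for u in urls]


# Constructed sample message (hostnames use the reserved .invalid TLD).
SAMPLE_MESSAGE = """Hello, here you have the files we talked about:
http://files.example.invalid/PDF_Document21_025542010_pdf.scr?id=7
http://intranet.example.invalid/reports/quarterly_report.pdf
http://cdn.example.invalid/Video_Message.avi.scr
"""

if __name__ == "__main__":
    for verdict in scan_message_links(SAMPLE_MESSAGE):
        flag = "DISGUISED EXECUTABLE" if verdict["disguised"] else "ok"
        print(f"{verdict['filename']:45} .{verdict['extension']:<4} {flag}")
```

The query string is ignored deliberately, since the file served is named by the path; a gateway would still want to fetch the link and inspect the real content type rather than trust the name alone.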

The files to which the links attempted to connect were taken offline rather quickly, so it was not widespread in Europe where it was too early in the morning to snare anybody.

In the USA, several big companies noticed the worm moving through their systems.

The links reportedly did not spread much from "Company A" to "Company B" as e-mail filtering systems caught the inbound/outbound threat. But within organizations, if the executable was downloaded and run, the worm attempted to steal browser passwords, and then to spread via contacts. Internal e-mail filtering is not as common and there is also a networking share component used by the worm, so within some companies, its spread was highly noticeable.

E-mail worms have not been "fashionable" for some time now as antivirus vendors are quick to detect and block them and antispam technologies are quite effective at filtering them. But just because a threat isn't fashionable doesn't mean that best practices shouldn't be followed.

Don't readily click on links that arrive via e-mail, even if they are sent by people that you ordinarily trust.

Two of the flaws of particular interest are image handling vulnerabilities that could allow arbitrary code execution.

Last month, JailbreakMe 2.0 was released which used a combination of two vulnerabilities: CVE-2010-1797 and CVE-2010-2973.

JailbreakMe users can (using an unofficial fix) patch CVE-2010-1797, the vulnerability exploited by a PDF document with maliciously crafted embedded fonts. It should be interesting to see if unofficial patches for these new vulnerabilities are developed, as some of them could possibly be used with CVE-2010-2973, putting JailbreakMe users at risk of remote attack.

Here in the lab, we're always interested in all things mobile, so we took another look at All Facebook's post. In an update, they show that the spam was also spreading via messages.

And there is a link visible in the screenshot pointing to artcentertransportation.com:

That site is registered to a "Jane Doe" and is hosted in the USA by Dynamic Dolphin. Visiting the URL from Finland simply redirects to another site called Wixawin (via tracklead.net) which offers "Mobile Entertainment". And what kind of entertainment do they offer?

The kind that could cost you upwards of €17.50 per month in subscription fees.

This is what you'll see if you attempt to visit Wixawin with our Mobile Security Browsing Protection enabled.

The affiliate ID that appears to be behind much of this mischief is: "affiliateid=WANE". Perhaps the spam was being posted via Mobile Web so that it included the necessary referrer?

In any case, let's hope that the affiliate network revokes whatever leads this spammer may have made.

A clever spammer has discovered a Facebook vulnerability that allows for auto-replicating links. Until now, typical Facebook spam has required the use of some social engineering to spread.

But clicking on any of these application spam links is enough to "share" the application to the user's Wall.

See the search results below:

Note that each of the search results was posted "via Mobile Web", which suggests that a common bug is being exploited. Or perhaps the spammer is posting via m.facebook as it's generally more responsive than the main site.

It's also interesting that the application links seem almost polymorphic or Captcha-like.

All of the links that we tested resulted in a page not found, so Facebook appears to have halted the worm's progress.

In today's episode of What Can You Find On the Web, we give you an online store for purchasing fake passports that we ran into.

Prices of these range from $650 to $1000. They don't seem to (yet?) offer passports with embedded RFID chips.

Some screenshots:

Updated to add: We can now confirm the site's URL was mynewpass.com and it has been taken offline by the hosting company. Unfortunately there are copies of the site still operating elsewhere in the world.

Good. It's always best to never share your password with a third party. Even if you trust them, their database could be compromised, and your password along with it. The discontinuation of basic user authentication also removes the vector of brute force password attacks via Twitter's API.

All third-party applications must now use Twitter's OAuth.

So, that being the case… we have a feature request.

The other day, we came across some Twitter spam using a bit.ly link that pointed to an application called "Lady Gaga photos".

If you "Allow" the application, two things will happen: the account tweets spam and follows two new accounts (emoboyxx3 and BoyGeorge).